add CheckSigningTable config option #228

Open: wants to merge 18 commits into base: develop
Changes from 9 commits
1 change: 1 addition & 0 deletions opendkim/opendkim-config.h
Expand Up @@ -44,6 +44,7 @@ struct configdef dkimf_config[] =
{ "Canonicalization", CONFIG_TYPE_STRING, FALSE },
{ "CaptureUnknownErrors", CONFIG_TYPE_BOOLEAN, FALSE },
{ "ChangeRootDirectory", CONFIG_TYPE_STRING, FALSE },
{ "CheckSigningTable", CONFIG_TYPE_BOOLEAN, FALSE },
{ "ClockDrift", CONFIG_TYPE_INTEGER, FALSE },
#ifdef _FFR_CONDITIONAL
{ "ConditionalSignatures", CONFIG_TYPE_STRING, FALSE },
4 changes: 4 additions & 0 deletions opendkim/opendkim.8.in
Expand Up @@ -282,6 +282,10 @@ Normally
forks and exits immediately, leaving the service running in the background.
This flag suppresses that behaviour so that it runs in the foreground.
.TP
.I \-g
Skip checking the SigningTable for any missing keys in the KeyTable. This
is the same as setting CheckSigningTable=no in opendkim.conf(5).
.TP
.I \-F time
Specifies a fixed time to use when generating signatures. Ignored unless
also used in conjunction with
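Review bot: the new `.I \-g` entry is placed between `-f` and `-F time`, while usage() in opendkim.c lists `-F` before `-g`; move the entry after the `-F time` block so the man page and the usage output agree. The cross-reference should also read `CheckSigningTable no` rather than `CheckSigningTable=no`, since opendkim.conf(5) separates key and value with whitespace (compare `# CheckSigningTable yes` in the sample file), and it would help operators to say that the skipped check is the one run at configuration load, not something that affects signing itself.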
16 changes: 14 additions & 2 deletions opendkim/opendkim.c
Expand Up @@ -137,7 +137,7 @@
#endif /* _FFR_REPUTATION */

/* macros */
#define CMDLINEOPTS "Ab:c:d:De:fF:k:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?"
#define CMDLINEOPTS "Ab:c:d:De:fF:gk:lL:no:p:P:Qrs:S:t:T:u:vVWx:X?"

#ifndef MIN
# define MIN(x,y) ((x) < (y) ? (x) : (y))
Expand Down Expand Up @@ -248,6 +248,7 @@ struct dkimf_config
_Bool conf_noheaderb; /* suppress "header.b" */
_Bool conf_singleauthres; /* single Auth-Results */
_Bool conf_safekeys; /* check key permissions */
_Bool conf_checksigningtable; /* skip checking keys on startup */
#ifdef _FFR_RESIGN
_Bool conf_resignall; /* resign unverified mail */
#endif /* _FFR_RESIGN */
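Review bot: the field comment `/* skip checking keys on startup */` states the opposite sense of the flag: `conf_checksigningtable` is TRUE when the check runs (it defaults to TRUE in dkimf_config_new() and the walk is gated on `!= FALSE`), so something like `/* verify SigningTable keys at config load */` would be accurate. "on startup" is also too narrow, because dkimf_config_load() runs on every configuration reload, not only at boot.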
Expand Down Expand Up @@ -5882,6 +5883,7 @@ dkimf_config_new(void)
new->conf_atpshash = dkimf_atpshash[0].str;
#endif /* _FFR_ATPS */
new->conf_selectcanonhdr = SELECTCANONHDR;
new->conf_checksigningtable = TRUE;

memcpy(&new->conf_handling, &defaults, sizeof new->conf_handling);

Expand Down Expand Up @@ -6199,6 +6201,10 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf,
sizeof conf->conf_softstart);
#endif /* (USE_LDAP || USE_ODBX) */

(void) config_get(data, "CheckSigningTable",
&conf->conf_checksigningtable,
sizeof conf->conf_checksigningtable);

(void) config_get(data, "DNSConnect",
&conf->conf_dnsconnect,
sizeof conf->conf_dnsconnect);
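Review bot: config_get() writes straight into `&conf->conf_checksigningtable`, so if `-g` is parsed before dkimf_config_load() runs, an explicit `CheckSigningTable yes` in the file overwrites the FALSE that the `-g` case stored in `curconf`, and the man page's statement that `-g` "is the same as setting CheckSigningTable=no" no longer holds. Either document that the file setting wins, or keep the command-line override in a separate variable and apply it after this config_get() call.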
Expand Down Expand Up @@ -8323,7 +8329,7 @@ dkimf_config_load(struct config *data, struct dkimf_config *conf,
** missing KeyTable entries.
*/

if (conf->conf_signtabledb != NULL)
if (conf->conf_signtabledb != NULL && conf->conf_checksigningtable != FALSE)
{
_Bool first = TRUE;
_Bool found;
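Review bot: when `conf_checksigningtable` is FALSE the walk is silently skipped, which leaves no trace for an operator later wondering why a SigningTable entry with no KeyTable key was never reported; consider logging one line at config load saying the SigningTable verification was disabled. Minor: `conf->conf_checksigningtable != FALSE` can be written as `conf->conf_checksigningtable` unless the `!= FALSE` form is local style.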
Expand Down Expand Up @@ -15469,6 +15475,7 @@ usage(void)
"\t-e name \textract configuration value and exit\n"
"\t-f \tdon't fork-and-exit\n"
"\t-F time \tfixed timestamp to use when signing (test mode only)\n"
"\t-g \tdo not walk SigningTable when loading config\n"
"\t-k keyfile \tlocation of secret key file\n"
"\t-l \tlog activity to system log\n"
"\t-L limit \tsignature limit requirements\n"
Expand Down Expand Up @@ -15644,6 +15651,11 @@ main(int argc, char **argv)
}
break;

case 'g':
curconf->conf_checksigningtable = FALSE;
break;


case 'k':
if (optarg == NULL || *optarg == '\0')
return usage();
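Review bot: there are two blank lines between the `-g` case and `case 'k':` where the surrounding cases use one; drop the extra line. Not taking an optarg check here is correct, since `g` has no `:` suffix in CMDLINEOPTS.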
5 changes: 5 additions & 0 deletions opendkim/opendkim.conf.5.in
Expand Up @@ -179,6 +179,11 @@ requires superuser access. A warning will be generated if
.I UserID
is not also set.

.TP
.I CheckSigningTable (Boolean)
If set to yes, it walks the SigningTable on boot when it loads the config


As I commented in another place, loading the config (and the opportunity for the check) may occur other than on boot, by receiving a SIGHUP signal.

file to check for missing keys in KeyTable. The default is yes.

.TP
.I ClockDrift (integer)
Sets the tolerance in seconds to be applied when determining whether a
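Review bot: the `.TP` text for CheckSigningTable needs rewording: "it walks" has no antecedent, and "on boot" is inaccurate because the check runs whenever the configuration is loaded, including on a SIGHUP reload, as the inline comment above points out. Suggested wording: "If set to yes, the SigningTable is walked each time the configuration is loaded, to check for entries that have no corresponding key in the KeyTable. The default is yes." That also matches the `-g` usage string, which says "when loading config".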
9 changes: 9 additions & 0 deletions opendkim/opendkim.conf.sample
Expand Up @@ -129,6 +129,15 @@

# Canonicalization simple/simple

## CheckSigningTable { yes | no }
## default "yes"
##
## If set, the SigningTable will be checked for missing keys in
## KeyTable when loading the config. This can take a longer time with
## larger databases. Requires opendbx.

# CheckSigningTable yes

## ClockDrift n
## default 300
##
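Review bot: "Requires opendbx." looks inconsistent with the rest of the change: the option is defined unconditionally in opendkim-config.h, read unconditionally in dkimf_config_load(), and the guarded walk only tests `conf->conf_signtabledb != NULL`. If the check is really only compiled in with ODBX support, say so in opendkim.conf(5) as well; if not, drop the sentence. "This can take a longer time with larger databases" would read better as "This can take a long time with large tables", and the description should say "when the configuration is loaded (including on reload)" to match the man page.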